| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
151 |
CVE-2011-3646 |
20 |
|
+Info |
2011-11-17 |
2011-11-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
phpmyadmin.css.php in phpMyAdmin 3.4.x before 3.4.6 allows remote attackers to obtain sensitive information via an array-typed js_frame parameter to phpmyadmin.css.php, which reveals the installation path in an error message. |
|
152 |
CVE-2011-3592 |
79 |
|
XSS |
2014-12-25 |
2014-12-29 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the PMA_unInlineEditRow function in js/sql.js in phpMyAdmin 3.4.x before 3.4.5 allow remote authenticated users to inject arbitrary web script or HTML via a (1) database name, (2) table name, or (3) column name that is not properly handled after an inline-editing operation. |
|
153 |
CVE-2011-3591 |
79 |
|
XSS |
2014-12-25 |
2014-12-29 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.4.x before 3.4.5 allow remote authenticated users to inject arbitrary web script or HTML via a crafted row that triggers an improperly constructed confirmation message after inline-editing and save operations, related to (1) js/functions.js and (2) js/tbl_structure.js. |
|
154 |
CVE-2011-3181 |
79 |
|
XSS |
2011-08-29 |
2012-11-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the Tracking feature in phpMyAdmin 3.3.x before 3.3.10.4 and 3.4.x before 3.4.4 allow remote attackers to inject arbitrary web script or HTML via a (1) table name, (2) column name, or (3) index name. |
|
155 |
CVE-2011-2719 |
20 |
|
|
2011-08-01 |
2018-10-09 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
libraries/auth/swekey/swekey.auth.lib.php in phpMyAdmin 3.x before 3.3.10.3 and 3.4.x before 3.4.3.2 does not properly manage sessions associated with Swekey authentication, which allows remote attackers to modify the SESSION superglobal array, other superglobal arrays, and certain swekey.auth.lib.php local variables via a crafted query string, a related issue to CVE-2011-2505. |
|
156 |
CVE-2011-2718 |
22 |
|
Dir. Trav. |
2011-08-01 |
2017-08-28 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
Multiple directory traversal vulnerabilities in the relational schema implementation in phpMyAdmin 3.4.x before 3.4.3.2 allow remote authenticated users to include and execute arbitrary local files via directory traversal sequences in an export type field, related to (1) libraries/schema/User_Schema.class.php and (2) schema_export.php. |
|
157 |
CVE-2011-2643 |
22 |
|
Dir. Trav. |
2011-08-01 |
2017-08-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Directory traversal vulnerability in sql.php in phpMyAdmin 3.4.x before 3.4.3.2, when configuration storage is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in a MIME-type transformation parameter. |
|
158 |
CVE-2011-2642 |
79 |
|
XSS |
2011-08-01 |
2017-08-28 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the table Print view implementation in tbl_printview.php in phpMyAdmin before 3.3.10.3 and 3.4.x before 3.4.3.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted table name. |
|
159 |
CVE-2011-2508 |
22 |
|
Dir. Trav. |
2011-07-14 |
2018-10-09 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
Directory traversal vulnerability in libraries/display_tbl.lib.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1, when a certain MIME transformation feature is enabled, allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in a GLOBALS[mime_map][$meta->name][transformation] parameter. |
|
160 |
CVE-2011-2507 |
94 |
|
Exec Code |
2011-07-14 |
2018-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
libraries/server_synchronize.lib.php in the Synchronize implementation in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly quote regular expressions, which allows remote authenticated users to inject a PCRE e (aka PREG_REPLACE_EVAL) modifier, and consequently execute arbitrary PHP code, by leveraging the ability to modify the SESSION superglobal array. |
|
161 |
CVE-2011-2506 |
94 |
1
|
|
2011-07-14 |
2018-10-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array. |
|
162 |
CVE-2011-2505 |
94 |
1
|
|
2011-07-14 |
2018-10-09 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a "remote variable manipulation vulnerability." |
|
163 |
CVE-2011-1941 |
20 |
|
|
2012-01-26 |
2012-02-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Open redirect vulnerability in the redirector feature in phpMyAdmin 3.4.x before 3.4.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
|
164 |
CVE-2011-1940 |
79 |
|
XSS |
2012-01-26 |
2012-11-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.3.x before 3.3.10.1 and 3.4.x before 3.4.1 allow remote attackers to inject arbitrary web script or HTML via a crafted table name that triggers improper HTML rendering on a Tracking page, related to (1) libraries/tbl_links.inc.php and (2) tbl_tracking.php. |
|
165 |
CVE-2011-0987 |
20 |
|
|
2011-02-14 |
2017-08-16 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
The PMA_Bookmark_get function in libraries/bookmark.lib.php in phpMyAdmin 2.11.x before 2.11.11.3, and 3.3.x before 3.3.9.2, does not properly restrict bookmark queries, which makes it easier for remote authenticated users to trigger another user's execution of a SQL query by creating a bookmark. |
|
166 |
CVE-2011-0986 |
20 |
|
|
2011-02-14 |
2017-08-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
phpMyAdmin 2.11.x before 2.11.11.2, and 3.3.x before 3.3.9.1, does not properly handle the absence of the (1) README, (2) ChangeLog, and (3) LICENSE files, which allows remote attackers to obtain the installation path via a direct request for a nonexistent file. |
|
167 |
CVE-2010-4481 |
287 |
|
Bypass +Info |
2010-12-17 |
2011-01-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
phpMyAdmin before 3.4.0-beta1 allows remote attackers to bypass authentication and obtain sensitive information via a direct request to phpinfo.php, which calls the phpinfo function. |
|
168 |
CVE-2010-4480 |
79 |
1
|
XSS |
2010-12-08 |
2011-01-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
error.php in PhpMyAdmin 3.3.8.1, and other versions before 3.4.0-beta1, allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted BBcode tag containing "@" characters, as demonstrated using "[[email protected]@page]". |
|
169 |
CVE-2010-4329 |
79 |
|
XSS |
2010-12-02 |
2011-01-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the PMA_linkOrButton function in libraries/common.lib.php in the database (db) search script in phpMyAdmin 2.11.x before 2.11.11.1 and 3.x before 3.3.8.1 allows remote attackers to inject arbitrary web script or HTML via a crafted request. |
|
170 |
CVE-2010-3263 |
79 |
|
XSS |
2010-09-10 |
2017-08-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in setup/frames/index.inc.php in the setup script in phpMyAdmin 3.x before 3.3.7 allows remote attackers to inject arbitrary web script or HTML via a server name. |
|
171 |
CVE-2010-3056 |
79 |
|
XSS |
2010-08-24 |
2011-01-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 2.11.x before 2.11.10.1 and 3.x before 3.3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) db_search.php, (2) db_sql.php, (3) db_structure.php, (4) js/messages.php, (5) libraries/common.lib.php, (6) libraries/database_interface.lib.php, (7) libraries/dbi/mysql.dbi.lib.php, (8) libraries/dbi/mysqli.dbi.lib.php, (9) libraries/db_info.inc.php, (10) libraries/sanitizing.lib.php, (11) libraries/sqlparser.lib.php, (12) server_databases.php, (13) server_privileges.php, (14) setup/config.php, (15) sql.php, (16) tbl_replace.php, and (17) tbl_sql.php. |
|
172 |
CVE-2010-3055 |
264 |
|
Exec Code |
2010-08-24 |
2011-01-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The configuration setup script (aka scripts/setup.php) in phpMyAdmin 2.11.x before 2.11.10.1 does not properly restrict key names in its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request. |
|
173 |
CVE-2010-2958 |
79 |
|
XSS |
2010-09-08 |
2010-09-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in libraries/Error.class.php in phpMyAdmin 3.x before 3.3.6 allows remote attackers to inject arbitrary web script or HTML via vectors related to a PHP backtrace and error messages (aka debugging messages), a different vulnerability than CVE-2010-3056. |
|
174 |
CVE-2009-4605 |
|
|
CSRF |
2010-01-19 |
2010-05-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
scripts/setup.php (aka the setup script) in phpMyAdmin 2.11.x before 2.11.10 calls the unserialize function on the values of the (1) configuration and (2) v[0] parameters, which might allow remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. |
|
175 |
CVE-2009-3697 |
89 |
|
Exec Code Sql |
2009-10-16 |
2017-08-16 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the PDF schema generator functionality in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to execute arbitrary SQL commands via unspecified interface parameters. |
|
176 |
CVE-2009-3696 |
79 |
|
XSS |
2009-10-16 |
2017-08-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted name for a MySQL table. |
|
177 |
CVE-2009-2284 |
79 |
|
XSS |
2009-07-01 |
2009-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in phpMyAdmin before 3.2.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted SQL bookmark. |
|
178 |
CVE-2009-1285 |
94 |
|
|
2009-04-16 |
2009-04-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Static code injection vulnerability in the getConfigFile function in setup/lib/ConfigFile.class.php in phpMyAdmin 3.x before 3.1.3.2 allows remote attackers to inject arbitrary PHP code into configuration files. |
|
179 |
CVE-2009-1151 |
94 |
|
|
2009-03-26 |
2018-10-10 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action. |
|
180 |
CVE-2009-1150 |
79 |
|
XSS |
2009-03-26 |
2009-07-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the export page (display_export.lib.php) in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allow remote attackers to inject arbitrary web script or HTML via the pma_db_filename_template cookie. |
|
181 |
CVE-2009-1149 |
20 |
|
Http R.Spl. |
2009-03-26 |
2009-04-16 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
CRLF injection vulnerability in bs_disp_as_mime_type.php in the BLOB streaming feature in phpMyAdmin before 3.1.3.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the (1) c_type and possibly (2) file_type parameters. |
|
182 |
CVE-2009-1148 |
22 |
|
Dir. Trav. |
2009-03-26 |
2009-04-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in bs_disp_as_mime_type.php in the BLOB streaming feature in phpMyAdmin before 3.1.3.1 allows remote attackers to read arbitrary files via directory traversal sequences in the file_path parameter ($filename variable). |
|
183 |
CVE-2008-7252 |
310 |
|
|
2010-01-19 |
2011-01-28 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 uses predictable filenames for temporary files, which has unknown impact and attack vectors. |
|
184 |
CVE-2008-7251 |
|
|
|
2010-01-19 |
2010-05-06 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 creates a temporary directory with 0777 permissions, which has unknown impact and attack vectors. |
|
185 |
CVE-2008-5621 |
352 |
|
Exec Code Sql CSRF |
2008-12-16 |
2017-09-28 |
6.0 |
User |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.11.x before 2.11.9.4 and 3.x before 3.1.1.0 allows remote attackers to perform unauthorized actions as the administrator via a link or IMG tag to tbl_structure.php with a modified table parameter. NOTE: other unspecified pages are also reachable, but they have the same root cause. NOTE: this can be leveraged to conduct SQL injection attacks and execute arbitrary code. |
|
186 |
CVE-2008-4775 |
79 |
|
XSS |
2008-10-28 |
2018-10-11 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in pmd_pdf.php in phpMyAdmin 3.0.0, and possibly other versions including 2.11.9.2 and 3.0.1, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the db parameter, a different vector than CVE-2006-6942 and CVE-2007-5977. |
|
187 |
CVE-2008-4326 |
79 |
|
XSS Bypass |
2008-09-30 |
2009-08-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The PMA_escapeJsString function in libraries/js_escape.lib.php in phpMyAdmin before 2.11.9.2, when Internet Explorer is used, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via a NUL byte inside a "</script" sequence. |
|
188 |
CVE-2008-4096 |
20 |
|
Exec Code |
2008-09-18 |
2017-08-07 |
8.5 |
None |
Remote |
Medium |
Single system |
Complete |
Complete |
Complete |
|
libraries/database_interface.lib.php in phpMyAdmin before 2.11.9.1 allows remote authenticated users to execute arbitrary code via a request to server_databases.php with a sort_by parameter containing PHP sequences, which are processed by create_function. |
|
189 |
CVE-2008-3457 |
79 |
|
XSS |
2008-08-04 |
2017-08-07 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in setup.php in phpMyAdmin before 2.11.8 allows user-assisted remote attackers to inject arbitrary web script or HTML via crafted setup arguments. NOTE: this issue can only be exploited in limited scenarios in which the attacker must be able to modify config/config.inc.php. |
|
190 |
CVE-2008-3456 |
59 |
|
|
2008-08-04 |
2017-08-07 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
phpMyAdmin before 2.11.8 does not sufficiently prevent its pages from using frames that point to pages in other domains, which makes it easier for remote attackers to conduct spoofing or phishing activities via a cross-site framing attack. |
|
191 |
CVE-2008-3197 |
352 |
|
CSRF |
2008-07-16 |
2017-08-07 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site request forgery (CSRF) vulnerability in phpMyAdmin before 2.11.7.1 allows remote attackers to perform unauthorized actions via a link or IMG tag to (1) the db parameter in the "Creating a Database" functionality (db_create.php), and (2) the convcharset and collation_connection parameters related to an unspecified program that modifies the connection character set. |
|
192 |
CVE-2008-2960 |
79 |
|
XSS |
2008-07-02 |
2017-08-07 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.11.7, when register_globals is enabled and .htaccess support is disabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving scripts in libraries/. |
|
193 |
CVE-2008-1924 |
200 |
|
+Info |
2008-04-23 |
2017-08-07 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
Unspecified vulnerability in phpMyAdmin before 2.11.5.2, when running on shared hosts, allows remote authenticated users with CREATE table permissions to read arbitrary files via a crafted HTTP POST request, related to use of an undefined UploadDir variable. |
|
194 |
CVE-2008-1567 |
200 |
|
+Info |
2008-03-31 |
2017-08-07 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
phpMyAdmin before 2.11.5.1 stores the MySQL (1) username and (2) password, and the (3) Blowfish secret key, in cleartext in a Session file under /tmp, which allows local users to obtain sensitive information. |
|
195 |
CVE-2008-1149 |
89 |
|
Sql CSRF |
2008-03-04 |
2017-08-07 |
5.1 |
User |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
phpMyAdmin before 2.11.5 accesses $_REQUEST to obtain some parameters instead of $_GET and $_POST, which allows attackers in the same domain to override certain variables and conduct SQL injection and Cross-Site Request Forgery (CSRF) attacks by using crafted cookies. |
|
196 |
CVE-2007-6100 |
79 |
|
XSS |
2007-11-23 |
2017-07-28 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in libraries/auth/cookie.auth.lib.php in phpMyAdmin before 2.11.2.2, when logins are authenticated with the cookie auth_type, allows remote attackers to inject arbitrary web script or HTML via the convcharset parameter to index.php, a different vulnerability than CVE-2005-0992. |
|
197 |
CVE-2007-5977 |
79 |
|
XSS |
2007-11-14 |
2017-07-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in db_create.php in phpMyAdmin before 2.11.2.1 allows remote authenticated users with CREATE DATABASE privileges to inject arbitrary web script or HTML via a hex-encoded IMG element in the db parameter in a POST request, a different vulnerability than CVE-2006-6942. |
|
198 |
CVE-2007-5976 |
89 |
|
Exec Code Sql |
2007-11-14 |
2017-07-28 |
6.5 |
User |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in db_create.php in phpMyAdmin before 2.11.2.1 allows remote authenticated users with CREATE DATABASE privileges to execute arbitrary SQL commands via the db parameter. |
|
199 |
CVE-2007-5589 |
79 |
|
XSS |
2007-10-19 |
2017-08-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via certain input available in (1) PHP_SELF in (a) server_status.php, and (b) grab_globals.lib.php, (c) display_change_password.lib.php, and (d) common.lib.php in libraries/; and certain input available in PHP_SELF and (2) PATH_INFO in libraries/common.inc.php. NOTE: there might also be other vectors related to (3) REQUEST_URI. |
|
200 |
CVE-2007-5386 |
79 |
|
XSS |
2007-10-12 |
2018-10-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in scripts/setup.php in phpMyAdmin 2.11.1, when accessed by a browser that does not URL-encode requests, allows remote attackers to inject arbitrary web script or HTML via the query string. |
